CASSANDRA-17204

Upgrade to Logback 1.2.9 (security)


Description

      Logback 1.2.8 has been released with a fix for a potential vulnerability in its JNDI lookup.

      14th of December, 2021, Release of version 1.2.8
      • In response to LOGBACK-1591, we have disabled all JNDI lookup code in logback until further notice. This impacts ContextJNDISelector and <insertFromJNDI> element in configuration files.
      • Also in response to LOGBACK-1591, we have removed all database (JDBC) related code in the project with no replacement.

      We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. A successful RCE requires all of the following to be true:

      • write access to logback.xml
      • use of versions < 1.2.8
      • reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack

      Therefore and as an additional precaution, in addition to upgrading to version 1.2.8, we also recommend that users set their logback configuration files as read-only.

      This is not as bad as CVE-2021-44228 in Log4j <2.15.0 (Log4Shell), but should probably be fixed anyway.
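The three preconditions listed above (writable logback.xml, a version older than 1.2.8, and reload via restart or scan="true") translate directly into a defensive audit. The following POSIX shell script is an added example, not part of this Cassandra ticket and not logback's own tooling; it assumes a hypothetical helper name `audit_logback_config`, takes the config path and the logback version string as arguments, and runs against two constructed sample files rather than a real Cassandra deployment.

```shell
#!/bin/sh
# Added audit helper (not part of the Cassandra ticket or the logback project).
# Checks a logback configuration file for the preconditions the LOGBACK-1591
# notice lists for the JNDI issue, plus the 1.2.8 version floor.

# Returns 0 when the logback version string is 1.2.8 or newer, 1 otherwise.
logback_version_fixed() {
  echo "$1" | awk -F. '{ exit !($1 > 1 || ($1 == 1 && ($2 > 2 || ($2 == 2 && $3 >= 8)))) }'
}

# Prints one FINDING line per problem and returns the number of findings
# (0 = clean). Arguments: path to logback.xml, logback version in use.
audit_logback_config() {
  file="$1"
  version="$2"
  findings=0
  if [ ! -f "$file" ]; then
    echo "ERROR: $file not found"
    return 99
  fi
  # Any write bit (owner, group or other) contradicts the read-only advice.
  perms=$(ls -ld "$file" | cut -c2-10)
  if echo "$perms" | grep -q w; then
    echo "FINDING: $file has write permission ($perms); chmod 444 it"
    findings=$((findings + 1))
  fi
  # scan="true" re-reads the file periodically, so a modified copy is picked
  # up without an application restart.
  if grep -Eq '<configuration[^>]*scan="true"' "$file"; then
    echo "FINDING: $file enables automatic reload (scan=\"true\")"
    findings=$((findings + 1))
  fi
  # <insertFromJNDI> is the JNDI lookup element that 1.2.8 disables outright.
  if grep -q '<insertFromJNDI' "$file"; then
    echo "FINDING: $file uses <insertFromJNDI>"
    findings=$((findings + 1))
  fi
  if ! logback_version_fixed "$version"; then
    echo "FINDING: logback $version is older than 1.2.8"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Demo on two constructed files (not real Cassandra configuration).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak-logback.xml" <<'EOF'
<configuration scan="true" scanPeriod="30 seconds">
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName" />
  <root level="INFO"/>
</configuration>
EOF
chmod 644 "$demo_dir/weak-logback.xml"
cat > "$demo_dir/hardened-logback.xml" <<'EOF'
<configuration>
  <root level="INFO"/>
</configuration>
EOF
chmod 444 "$demo_dir/hardened-logback.xml"

audit_logback_config "$demo_dir/weak-logback.xml" 1.2.7       # 4 findings
audit_logback_config "$demo_dir/hardened-logback.xml" 1.2.9   # 0 findings
```

The permission check deliberately flags any write bit rather than only group/other writes, matching the notice's recommendation that the file be read-only; the version comparison is numeric per component so that 1.2.10 is correctly treated as newer than 1.2.8.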

People

  brandon.williams Brandon Williams
  joschi Jochen Schalanda
  Brandon Williams
  Berenguer Blasi